I have an incident which reads - "Activity from Expired User Identity" CRITICAL
Please can someone walk me through how to investigate and resolve this incident?
Have you already followed the instructions in "Investigate a notable event on Incident Review in Splunk Enterprise Security" and "Take action on a notable event on Incident Review in Splunk Enterprise Security" in the Use Splunk Enterprise Security manual?
Thanks ChrisG for the response, I'll review these docs.